Thursday, 3 January 2013

Google.com cross site scripting and privilege escalation in Consumer Surveys

Hello,

I recently found a persistent cross-site scripting vulnerability and a privilege escalation in Google Consumer Surveys. Here are proofs of concept for both:

Cross site scripting (XSS)

You can create a new Google Consumer Survey here. I entered "</script><script>alert(document.cookie)</script> as the name of my survey and clicked Continue. The JavaScript executed. The remaining question was how to trigger it in other users' browsers.
Creating a survey takes four steps. The links for steps 1, 3 and 4 could be used to trigger the payload for other users, while step 2 (still) returns a 500 Internal Server Error when viewing other people's surveys (I do not know why; maybe you can find something there :)). Here are the three links (the survey has since been deleted).

Visiting any of those three links would execute the JavaScript in your browser.
Screenshot:
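The stored-XSS fix in defender's terms, as an added example that is not the page's code and not Google's: the `</script>` at the start of the reported payload suggests the survey name was being written into a JavaScript string inside a `<script>` block, which is an assumption here. The block renders that same constructed name two ways and counts how many places an HTML parser would end the script element; a correctly built page has exactly one.

```python
import html
import json

# Constructed sample input: the survey name the post reports entering.
SURVEY_NAME_PAYLOAD = '"</script><script>alert(document.cookie)</script>'


def render_vulnerable(name: str) -> str:
    """Survey name dropped straight into a JavaScript string literal.

    The HTML tokenizer ends a <script> element at the first "</script",
    no matter where the JavaScript parser thinks the string literal is,
    so the stored name terminates the block and opens its own script.
    """
    return f'<script>var surveyName = "{name}";</script>'


def js_string_literal(value: str) -> str:
    """Serialise a value for embedding inside a <script> block.

    json.dumps escapes quotes, backslashes and control characters; the
    extra replacements turn <, > and & into \\uXXXX escapes so that neither
    "</script" nor "<!--" can appear in the output. JSON.parse and the JS
    string grammar both decode the escapes back to the original text.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def roundtrips(value: str) -> bool:
    """The escaped form must decode to exactly the stored name."""
    return json.loads(js_string_literal(value)) == value


def render_hardened(name: str) -> str:
    """Same page with the name passed through js_string_literal."""
    return f'<script>var surveyName = {js_string_literal(name)};</script>'


def render_html_text(name: str) -> str:
    """The same name shown as page text: HTML-entity encode it instead."""
    return f'<h1>{html.escape(name, quote=True)}</h1>'


def script_close_count(page: str) -> int:
    """Number of points where an HTML parser would end a script element.

    A correctly built page has exactly one, the real closing tag.
    """
    return page.lower().count("</script")


if __name__ == "__main__":
    for label, page in (("vulnerable", render_vulnerable(SURVEY_NAME_PAYLOAD)),
                        ("hardened", render_hardened(SURVEY_NAME_PAYLOAD))):
        print(f"{label}: {script_close_count(page)} script-close point(s)")
        print("  " + page)
    print("text context: " + render_html_text(SURVEY_NAME_PAYLOAD))
```

The design point is that the encoding must match the context the value lands in: entity encoding is right for HTML text, but inside a script block it is the `\u003c` style escape that keeps a stored name from ever forming a tag, whatever the browser's HTML tokenizer does with the surrounding JavaScript.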

Privilege escalation

In the same service, you could delete anyone's Consumer Survey with a single POST request. Keep in mind that this is a paid Google service.

A POST request to the following URL with these parameters:

http://www.google.com/insights/consumersurveys/delete_survey

POST parameters:

survey=c2mexgsedz4dc&xsrf-token=[Your-XSRF-token]&action=delete

You could change the survey parameter to any valid survey ID, and that survey would be deleted. Trying to visit a deleted survey afterwards produced a 500 Internal Server Error, so it could no longer be viewed.

Thank you Google Security team for the quick response and fix!
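The check that was missing from the delete endpoint, as an added example that is not Google's code (which was never published): the handler shape, the account names, the tokens and every status code except the 500 the post reports are assumptions. The request the post describes carries a valid XSRF token for the caller's own session plus an arbitrary survey ID, so a handler that verifies only the token behaves exactly as reported; the hardened version also compares the survey's owner with the caller and records the refusal.

```python
import hmac
import secrets

# Constructed fixtures. The survey id is the one quoted in the post; the
# account names and tokens are made up for this example.
SESSIONS = {
    "alice": {"xsrf_token": secrets.token_hex(16)},
    "mallory": {"xsrf_token": secrets.token_hex(16)},
}
AUDIT_LOG = []


def fresh_store():
    """A new survey table, so each run starts from the same state."""
    return {"c2mexgsedz4dc": {"owner": "alice", "name": "Product feedback"}}


def _common_checks(user, params):
    """XSRF token and action validation shared by both handlers.

    Returns an HTTP status on failure, or None when the request may proceed.
    """
    expected = SESSIONS[user]["xsrf_token"]
    supplied = params.get("xsrf-token", "")
    if not hmac.compare_digest(supplied, expected):
        return 403
    if params.get("action") != "delete":
        return 400
    return None


def delete_survey_vulnerable(store, user, params):
    """Only the caller's own XSRF token is verified; the survey's owner is
    never compared with the caller, so any logged-in user can delete any
    survey whose id they know."""
    status = _common_checks(user, params)
    if status is not None:
        return status
    survey_id = params.get("survey", "")
    if survey_id not in store:
        return 500  # the response the post reports for a missing survey
    del store[survey_id]
    return 200


def delete_survey_hardened(store, user, params):
    """Same endpoint with an object-level authorization check."""
    status = _common_checks(user, params)
    if status is not None:
        return status
    survey_id = params.get("survey", "")
    survey = store.get(survey_id)
    # One answer for "does not exist" and "not yours": the endpoint then
    # cannot be used to tell valid ids from invalid ones.
    if survey is None or survey["owner"] != user:
        AUDIT_LOG.append(f"denied delete user={user} survey={survey_id}")
        return 404
    del store[survey_id]
    AUDIT_LOG.append(f"deleted user={user} survey={survey_id}")
    return 200


if __name__ == "__main__":
    other_users_request = {
        "survey": "c2mexgsedz4dc",
        "xsrf-token": SESSIONS["mallory"]["xsrf_token"],
        "action": "delete",
    }
    store = fresh_store()
    print("vulnerable:", delete_survey_vulnerable(store, "mallory", other_users_request), store)
    store = fresh_store()
    print("hardened:  ", delete_survey_hardened(store, "mallory", other_users_request), store)
    print("\n".join(AUDIT_LOG))
```

An XSRF token proves that the request came from the caller's own session; it says nothing about whether the caller may act on the object named in the request, which is why the ownership comparison has to be a separate check on every mutating endpoint. The audit line on refusal is what lets a detection team notice one account probing many survey IDs.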